HAB and encrypted boot (Linux)

After reading the reference manual chapters 12, 13 and 20 (Boot Modes, DCP and OCOTP) I'm still unsure how an encrypted and signed boot process would be set up.

My idea is that I have a uImage of the Linux Kernel. Signing that with the Freescale code signing tool will generate a HAB.ELF file. Then 'elftosb' takes HAB.ELF and uImage as input and produces a SB file which represents a signed boot stream.

If this image is flashed and the HAB_CONFIG OTP bits are set to HAB_CLOSED, the CPU will boot this image, or fail to do so if the image in flash is not signed (of course the SRK OTP has to be programmed too).

Is this correct so far?

So, in the next step I program the CRYPTO_KEY OTP and use the DCP to encrypt my image with CRYPTO_KEY. Now I have an encrypted image, but how do I tell the boot ROM that the image is encrypted and not just garbage?

A Linux image does exist that provides a secure/encrypted Linux boot on i.MX28. However, this image is not available publicly and requires an NDA. The AN4555 application note is intended to provide all the information required to perform both a secure boot with HAB as well as an encrypted boot on i.MX28. Is there a specific problem you are having? If so, the Freescale team can address your questions here.

If you would add me as your friend I could send you a PM. I am sorry to ask you this but unfortunately there is really no choice to contact you via this forum. Due to that fact I post my answer here and hope you see it.

The interesting thing is that it took us months to receive the presentation of yours, just to find out that it is obsolete? Can you tell me exactly what I should ask for? It would be very helpful for me to see the code changes.

And yes, there are questions. I hope I can address them to you because I did not find any contact information in the app note.

On page 15, about which linker file are you talking? Can you tell me the exact name? If it is u-boot's linker file, where do I find it? Can I use the board support package's u-boot or do I have to use the official one from Denx's git repository?

Is the IVT (image vector table) created automatically? I found something in /rootfs/boot which ended with ivt. This is created by the updater script which is invoked by the ltib script. Do I have to change anything to produce the correct IVT?

From where do I get the address ranges I would like to sign? These values must be known if I would like to produce a correct CSF.

It would be great if you or someone else could answer me these questions!

The linker script is an example, as the syntax and content are likely related to the compiler/linker.

If it is the one in u-boot, then you will need to get the u-boot from a git repository or the linux BSP that you can download from the Freescale web site.

I guess that you need to get familiar with u-boot first, and then you will be able to add the necessary pieces required for a secure boot. You can surely find support on u-boot in the related community.

Typically, the linker script is here:

./board/freescale/mx28_evk/u-boot.lds

The idea with the linker script is to reserve some space for the security related data used during boot. By adding this, it is therefore possible to automatically resolve the address that must be provided to the Image Vector Table (IVT).

That is the entry point for the ROM code of the i.MX28 to find each element needed for the boot.

You can get more information in the chapter "Boot modes", and "program image" of the reference manual.

If you look at figure 5 in the app note, the signed part is typically from the start of the IVT to the end of the image data. That gives you the start address and size of the code.

./board/freescale/mx28_evk/config.mk (start address where u-boot will be linked).
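The post above describes how the IVT is the ROM's entry point for locating the boot components and how the signed range runs from the start of the IVT to the end of the image data. The script below is an added example written for this thread, not code from the original posts or from Freescale/NXP: it parses an IVT out of a boot image and derives the start address, image offset and length that a CSF needs for its authenticated block. It assumes the 32-byte HABv4 IVT layout (header, entry, reserved, dcd, boot_data, self, csf, reserved) and the 12-byte boot_data structure (start, length, plugin); the end of the image data is taken to be where the CSF begins, since the CSF is appended after the image data and is not itself covered by the signature. The sample image is constructed inline so the script runs offline; addresses and offsets in it are made up.

```python
"""Derive the HAB signed region (start address, offset, length) from an IVT.

Added example for this thread, not Freescale/NXP code. Assumes the HABv4
IVT layout (32 bytes) and boot_data structure (12 bytes); the sample image
built by build_sample_image() is constructed, with invented addresses.
"""
import struct

IVT_TAG = 0xD1            # HABv4 IVT header tag
IVT_LEN = 0x20            # header length field (stored big-endian)
IVT_VERSIONS = (0x40, 0x41)

# Constructed layout for the sample image (not from any real board).
LOAD = 0x40000000         # address the ROM loads the image to
IVT_OFF = 0x400           # IVT sits 1 KiB into the image
CSF_OFF = 0x1800          # CSF appended after the image data
IMG_LEN = 0x2000          # total image length including the CSF


def parse_ivt(blob: bytes, offset: int) -> dict:
    """Validate the IVT header at `offset` and return its pointer fields."""
    if len(blob) < offset + IVT_LEN:
        raise ValueError("image too short to contain an IVT at that offset")
    hdr = blob[offset:offset + 4]
    tag, length, version = hdr[0], struct.unpack(">H", hdr[1:3])[0], hdr[3]
    if tag != IVT_TAG or length != IVT_LEN or version not in IVT_VERSIONS:
        raise ValueError(f"not a HABv4 IVT header: {hdr.hex()}")
    # Remaining fields are little-endian 32-bit words on ARM.
    entry, _res1, dcd, boot_data, self_addr, csf, _res2 = struct.unpack_from(
        "<7I", blob, offset + 4)
    return {"entry": entry, "dcd": dcd, "boot_data": boot_data,
            "self": self_addr, "csf": csf}


def parse_boot_data(blob: bytes, ivt: dict, ivt_offset: int) -> dict:
    """boot_data is an absolute address; translate it to a file offset via `self`."""
    bd_off = ivt_offset + (ivt["boot_data"] - ivt["self"])
    start, length, plugin = struct.unpack_from("<3I", blob, bd_off)
    return {"start": start, "length": length, "plugin": plugin}


def signed_region(blob: bytes, ivt_offset: int) -> tuple:
    """Return (start_address, file_offset, length) of the data to be signed."""
    ivt = parse_ivt(blob, ivt_offset)
    bd = parse_boot_data(blob, ivt, ivt_offset)
    # The IVT's self pointer must agree with the load address plus its offset,
    # otherwise the ROM would resolve the other pointers against the wrong base.
    if ivt["self"] != bd["start"] + ivt_offset:
        raise ValueError("IVT self pointer does not match load address + offset")
    # Signed data: from the IVT to the end of the image data, i.e. up to the CSF.
    end = ivt["csf"] if ivt["csf"] else bd["start"] + bd["length"]
    return ivt["self"], ivt_offset, end - ivt["self"]


def csf_blocks_line(region: tuple, filename: str) -> str:
    """Format the region as a CSF 'Blocks' entry (assumed CST syntax)."""
    start, offset, length = region
    return f'Blocks = 0x{start:08x} 0x{offset:x} 0x{length:x} "{filename}"'


def build_sample_image() -> bytes:
    """Construct a minimal image with a valid IVT and boot_data (sample only)."""
    blob = bytearray(IMG_LEN)
    header = bytes([IVT_TAG]) + struct.pack(">H", IVT_LEN) + bytes([0x40])
    ivt = header + struct.pack(
        "<7I",
        LOAD + 0x1000,          # entry point
        0,                      # reserved1
        0,                      # dcd (none)
        LOAD + IVT_OFF + 0x20,  # boot_data directly after the IVT
        LOAD + IVT_OFF,         # self
        LOAD + CSF_OFF,         # csf
        0)                      # reserved2
    blob[IVT_OFF:IVT_OFF + IVT_LEN] = ivt
    blob[IVT_OFF + 0x20:IVT_OFF + 0x2C] = struct.pack("<3I", LOAD, IMG_LEN, 0)
    return bytes(blob)


if __name__ == "__main__":
    region = signed_region(build_sample_image(), IVT_OFF)
    print(csf_blocks_line(region, "u-boot.bin"))
```

Running it against a real image means passing the file contents and the IVT offset your linker script reserves; the consistency check on the `self` pointer is the first thing to look at when a signed image is rejected by the ROM, since a wrong base makes every other IVT pointer wrong too.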

I'm trying to solve kind of the same problem here. The u-boot that comes with ltib has both a non-secured and a secured (_ivt_) bootstream as output. However, if I download the latest u-boot-imx.git and build that in a separate folder, the only output I get is a non-secured u-boot.sb. Doesn't the u-boot imx tree provide a way to add this security? Or can it be added afterwards with the u-boot.bin as input, without changing linker scripts and all (as described in AN4555)?

I did request a download for the Freescale code signing tool. Perhaps this can be the solution, but I would prefer a "built-in" solution from the Linux command line.

I think I solved this myself by using the "./ltib -p boot_stream.spec -f" command from ltib. By copying the generated u-boot file from the separate project dir to ltib/roots/boot and using this command, a secured bootstream is created for the new u-boot. This u-boot is not working properly yet, but at least it starts....